1. 26 Jan, 2015 21 commits
    • driver core: Fix unbalanced device reference in drivers_probe · ce3740b1
      Alex Williamson authored
      commit bb34cb6b upstream.
      
      bus_find_device_by_name() acquires a device reference which is never
      released.  This results in an object leak, which on older kernels
      results in failure to release all resources of PCI devices.  libvirt
      uses drivers_probe to re-attach devices to the host after assignment
      and is therefore a common trigger for this leak.
      
      Example:
      
      # cd /sys/bus/pci/
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_cleanup, parent           (null)
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): calling ktype release
       kobject: '0000:01:10.0': free name
      
      [kobject freed as expected]
      
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0000:01:10.0 > drivers_probe
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
      
      [no free]
      Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • x86, vdso: Use asm volatile in __getcpu · 779cf1d9
      Andy Lutomirski authored
      commit 1ddf0b1b upstream.
      
      In Linux 3.18 and below, GCC hoists the lsl instructions in the
      pvclock code all the way to the beginning of __vdso_clock_gettime,
      slowing the non-paravirt case significantly.  For unknown reasons,
      presumably related to the removal of a branch, the performance issue
      is gone as of
      
      e76b027e x86,vdso: Use LSL unconditionally for vgetcpu
      
      but I don't trust GCC enough to expect the problem to stay fixed.
      
      There should be no correctness issue, because the __getcpu calls in
      __vdso_vlock_gettime were never necessary in the first place.
      
      Note to stable maintainers: In 3.18 and below, depending on
      configuration, gcc 4.9.2 generates code like this:
      
           9c3:       44 0f 03 e8             lsl    %ax,%r13d
           9c7:       45 89 eb                mov    %r13d,%r11d
           9ca:       0f 03 d8                lsl    %ax,%ebx
      
      This patch won't apply as is to any released kernel, but I'll send a
      trivial backported version if needed.
      
      [
       Backported by Andy Lutomirski.  Should apply to all affected
       versions.  This fixes a functionality bug as well as a performance
       bug: buggy kernels can infinite loop in __vdso_clock_gettime on
       affected compilers.  See, for example:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=1178975
      ]
      
      Fixes: 51c19b4f x86: vdso: pvclock gettime support
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Acked-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • x86_64, vdso: Fix the vdso address randomization algorithm · 0c931216
      Andy Lutomirski authored
      commit 394f56fe upstream.
      
      The theory behind vdso randomization is that it's mapped at a random
      offset above the top of the stack.  To avoid wasting a page of
      memory for an extra page table, the vdso isn't supposed to extend
      past the lowest PMD into which it can fit.  Other than that, the
      address should be a uniformly distributed address that meets all of
      the alignment requirements.
      
      The current algorithm is buggy: the vdso has about a 50% probability
      of being at the very end of a PMD.  The current algorithm also has a
      decent chance of failing outright due to incorrect handling of the
      case where the top of the stack is near the top of its PMD.
      
      This fixes the implementation.  The paxtest estimate of vdso
      "randomisation" improves from 11 bits to 18 bits.  (Disclaimer: I
      don't know what the paxtest code is actually calculating.)
      
      It's worth noting that this algorithm is inherently biased: the vdso
      is more likely to end up near the end of its PMD than near the
      beginning.  Ideally we would either nix the PMD sharing requirement
      or jointly randomize the vdso and the stack to reduce the bias.
      
      In the mean time, this is a considerable improvement with basically
      no risk of compatibility issues, since the allowed outputs of the
      algorithm are unchanged.
      
      As an easy test, doing this:
      
      for i in `seq 10000`
        do grep -P vdso /proc/self/maps |cut -d- -f1
      done |sort |uniq -d
      
      used to produce lots of output (1445 lines on my most recent run).
      A tiny subset looks like this:
      
      7fffdfffe000
      7fffe01fe000
      7fffe05fe000
      7fffe07fe000
      7fffe09fe000
      7fffe0bfe000
      7fffe0dfe000
      
      Note the suspicious fe000 endings.  With the fix, I get a much more
      palatable 76 repeated addresses.
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
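An added illustration, not the kernel's code and not part of the commit: a user-space model of the placement rule the message above describes, run against a "before" variant. `place_before` is an assumed reconstruction of a clamping scheme that reproduces the roughly 50% end-of-PMD figure; the 2-page vdso length, the stack base and the PRNG are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define PMD_SIZE     (1ULL << 21)          /* one x86_64 PMD maps 2 MiB */
#define PMD_MASK     (~(PMD_SIZE - 1))
#define PTRS_PER_PTE 512                   /* 4 KiB pages per PMD */
#define VDSO_LEN     (2 * PAGE_SIZE)       /* assumed size; matches the fe000 endings */

struct stats { unsigned at_pmd_end, below_start, past_pmd; };

/* xorshift64*: deterministic stand-in for the kernel's random source. */
static uint64_t rng_state;
static uint32_t rnd32(void)
{
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return (uint32_t)((rng_state * 2685821657736338717ULL) >> 32);
}

/* Assumed "before" behaviour: fixed 0..511 page offset, clamped to the limit. */
static uint64_t place_before(uint64_t start, uint64_t len, uint32_t r)
{
    uint64_t end = ((start + PMD_SIZE - 1) & PMD_MASK) - len;
    uint64_t addr = start + ((uint64_t)(r & (PTRS_PER_PTE - 1)) << PAGE_SHIFT);
    return addr >= end ? end : addr;
}

/* Placement as the message specifies it: uniform over every page slot that
 * keeps the vdso inside the lowest PMD into which it can fit. */
static uint64_t place_after(uint64_t start, uint64_t len, uint32_t r)
{
    uint64_t end = ((start + len + PMD_SIZE - 1) & PMD_MASK) - len;
    if (end <= start)
        return start;
    return start + ((r % (((end - start) >> PAGE_SHIFT) + 1)) << PAGE_SHIFT);
}

static struct stats simulate(int fixed, unsigned trials)
{
    struct stats st = {0, 0, 0};
    rng_state = 0x9E3779B97F4A7C15ULL;     /* fixed seed: repeatable runs */
    for (unsigned i = 0; i < trials; i++) {
        /* Constructed input: a page-aligned stack top spread over 32 PMDs. */
        uint64_t start = 0x7ffd00000000ULL +
            ((uint64_t)(rnd32() % (32 * PTRS_PER_PTE)) << PAGE_SHIFT);
        uint32_t r = rnd32();
        uint64_t addr = fixed ? place_after(start, VDSO_LEN, r)
                              : place_before(start, VDSO_LEN, r);
        uint64_t limit = (start + VDSO_LEN + PMD_SIZE - 1) & PMD_MASK;

        if (addr < start)
            st.below_start++;              /* hint lands under the stack top */
        else if (addr + VDSO_LEN > limit)
            st.past_pmd++;                 /* would need an extra page table */
        else if (((addr + VDSO_LEN) & (PMD_SIZE - 1)) == 0)
            st.at_pmd_end++;               /* the "fe000" case */
    }
    return st;
}

static double end_fraction(int fixed, unsigned trials)
{
    return (double)simulate(fixed, trials).at_pmd_end / trials;
}

int main(void)
{
    unsigned n = 200000;
    struct stats b = simulate(0, n), a = simulate(1, n);
    printf("before: %.1f%% at end of PMD, %u hints below stack top\n",
           100.0 * b.at_pmd_end / n, b.below_start);
    printf("after:  %.1f%% at end of PMD, %u hints below stack top\n",
           100.0 * a.at_pmd_end / n, a.below_start);
    return 0;
}
```

The "after" fraction stays above the uniform 1/512 because a stack top near the end of its PMD leaves few slots, which is the residual bias the message mentions.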
    • kvm: x86: drop severity of "generation wraparound" message · 33309bc1
      Paolo Bonzini authored
      commit a629df7e upstream.
      
      Since most virtual machines raise this message once, it is a bit annoying.
      Make it KERN_DEBUG severity.
      
      Fixes: 7a2e8aaf
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • HID: Add a new id 0x501a for Genius MousePen i608X · 6bbd1764
      Giedrius Statkevičius authored
      commit 2bacedad upstream.
      
      New Genius MousePen i608X devices have a new id 0x501a instead of the
      old 0x5011 so add a new #define with "_2" appended and change required
      places.
      
      The remaining two checkpatch warnings about line length
      being over 80 characters are present in the original files too and this
      patch was made in the same style (no line break).
      
      Just adding a new id and changing the required places should make the
      new device work without any issues according to the bug report in the
      following url.
      
      This patch was made according to and fixes:
      https://bugzilla.kernel.org/show_bug.cgi?id=67111
      Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • HID: add battery quirk for USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO keyboard · 19fd1c1a
      Karl Relton authored
      commit da940db4 upstream.
      
      Apple bluetooth wireless keyboard (sold in UK) has always reported zero
      for battery strength no matter what condition the batteries are actually
      in. With this patch applied (applying same quirk as other Apple
      keyboards), the battery strength is now correctly reported.
      Signed-off-by: Karl Relton <karllinuxtest.relton@ntlworld.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • HID: roccat: potential out of bounds in pyra_sysfs_write_settings() · 126193e0
      Dan Carpenter authored
      commit 606185b2 upstream.
      
      This is a static checker fix.  We write some binary settings to the
      sysfs file.  One of the settings is the "->startup_profile".  There
      isn't any checking to make sure it fits into the
      pyra->profile_settings[] array in the profile_activated() function.
      
      I added a check to pyra_sysfs_write_settings() in both places because
      I wasn't positive that the other callers were correct.
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • HID: i2c-hid: prevent buffer overflow in early IRQ · f0a431e7
      Gwendal Grignou authored
      commit d1c7e29e upstream.
      
      Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
      64 bytes. While processing the IRQ, we were asking to receive up to
      wMaxInputLength bytes, which can be bigger than 64 bytes.
      
      Later, when ->start is run, a proper bufsize will be calculated.
      
      Given wMaxInputLength is said to be unreliable in other parts of the
      code, set to receive only what we can even if it results in truncated
      reports.
      Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
      Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • HID: i2c-hid: fix race condition reading reports · 5927cd03
      Jean-Baptiste Maneyrol authored
      commit 6296f4a8 upstream.
      
      The current driver uses a common buffer for reading reports both
      synchronously in i2c_hid_get_raw_report() and asynchronously in
      the interrupt handler.
      There is a race condition if an interrupt arrives immediately after
      the report is received in i2c_hid_get_raw_report(); the common
      buffer is modified by the interrupt handler with the new report
      and then i2c_hid_get_raw_report() proceeds using wrong data.
      
      Fix it by using separate buffers for synchronous reports.
      Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
      [Antonio Borneo: cleanup, rebase to v3.17, submit mainline]
      Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
      Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • iommu/vt-d: Fix an off-by-one bug in __domain_mapping() · b377e72c
      Jiang Liu authored
      commit cc4f14aa upstream.
      
      There's an off-by-one bug in function __domain_mapping(), which may
      trigger the BUG_ON(nr_pages < lvl_pages) when
      	(nr_pages + 1) & superpage_mask == 0
      
      The issue was introduced by commit 9051aa02 "intel-iommu: Combine
      domain_pfn_mapping() and domain_sg_mapping()", which sets sg_res to
      "nr_pages + 1" to avoid some of the 'sg_res==0' code paths.
      
      It's safe to remove the extra "+1" because sg_res is only used to calculate
      page size now.
      Reported-And-Tested-by: Sudeep Dutt <sudeep.dutt@intel.com>
      Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
      Acked-By: David Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • UBI: Fix double free after do_sync_erase() · d97a9dc7
      Richard Weinberger authored
      commit aa5ad3b6 upstream.
      
      If the erase worker is unable to erase a PEB it will
      free the ubi_wl_entry itself.
      The failing ubi_wl_entry must not be free()'d again after
      do_sync_erase() returns.
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • UBI: Fix invalid vfree() · b4725475
      Richard Weinberger authored
      commit f38aed97 upstream.
      
      The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
      In ubi_start_update() vol->updating is set long before vmalloc()'ing
      vol->upd_buf. If we encounter a write failure in ubi_start_update()
      before vmalloc() the UBI device release function will try to vfree()
      vol->upd_buf because vol->updating is set.
      Fix this by allocating vol->upd_buf directly after setting vol->updating.
      
      Fixes:
      [   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
      [   31.559340] ------------[ cut here ]------------
      [   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
      [   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
      [   31.559345] Modules linked in:
      [   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
      [   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
      [   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
      [   31.567793] Call Trace:
      [   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
      [   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
      [   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
      [   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
      [   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
      [   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
      [   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • pstore-ram: Allow optional mapping with pgprot_noncached · ca6a4563
      Tony Lindgren authored
      commit 027bc8b0 upstream.
      
      On some ARMs the memory can be mapped pgprot_noncached() and still
      be working for atomic operations. As pointed out by Colin Cross
      <ccross@android.com>, in some cases you do want to use
      pgprot_noncached() if the SoC supports it to see a debug printk
      just before a write hanging the system.
      
      On ARMs, the atomic operations on strongly ordered memory are
      implementation defined. So let's provide an optional kernel parameter
      for configuring pgprot_noncached(), and use pgprot_writecombine() by
      default.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robherring2@gmail.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: Anton Vorontsov <anton@enomsg.org>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Russell King <linux@arm.linux.org.uk>
      Acked-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Tony Luck <tony.luck@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • pstore-ram: Fix hangs by using write-combine mappings · 1c5988f8
      Rob Herring authored
      commit 7ae9cb81 upstream.
      
      Currently trying to use pstore on at least ARMs can hang as we're
      mapping the persistent RAM with pgprot_noncached().
      
      On ARMs, pgprot_noncached() will actually make the memory strongly
      ordered, and as the atomic operations pstore uses are implementation
      defined for strongly ordered memory, they may not work. So basically
      atomic operations have undefined behavior on ARM for device or strongly
      ordered memory types.
      
      Let's fix the issue by using write-combine variants for mappings. This
      corresponds to normal, non-cacheable memory on ARM. For many other
      architectures, this change does not change the mapping type as by
      default we have:
      
      #define pgprot_writecombine pgprot_noncached
      
      The reason why pgprot_noncached() was originally used for pstore
      is because Colin Cross <ccross@android.com> had observed lost
      debug prints right before a device hanging write operation on some
      systems. For the platforms supporting pgprot_noncached(), we can
      add an optional configuration option to support that. But let's
      get pstore working first before adding new features.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Anton Vorontsov <cbouatmailru@gmail.com>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: linux-kernel@vger.kernel.org
      Acked-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Rob Herring <rob.herring@calxeda.com>
      [tony@atomide.com: updated description]
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Tony Luck <tony.luck@intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • PCI: Restore detection of read-only BARs · eba8e5d2
      Myron Stowe authored
      commit 36e81648 upstream.
      
      Commit 6ac665c6 ("PCI: rewrite PCI BAR reading code") masked off
      low-order bits from 'l', but not from 'sz'.  Both are passed to pci_size(),
      which compares 'base == maxbase' to check for read-only BARs.  The masking
      of 'l' means that comparison will never be 'true', so the check for
      read-only BARs no longer works.
      
      Resolve this by also masking off the low-order bits of 'sz' before passing
      it into pci_size() as 'maxbase'.  With this change, pci_size() will once
      again catch the problems that have been encountered to date:
      
        - AGP aperture BAR of AMD-7xx host bridges: if the AGP window is
          disabled, this BAR is read-only and read as 0x00000008 [1]
      
        - BARs 0-4 of ALi IDE controllers can be non-zero and read-only [1]
      
        - Intel Sandy Bridge - Thermal Management Controller [8086:0103];
          BAR 0 returning 0xfed98004 [2]
      
        - Intel Xeon E5 v3/Core i7 Power Control Unit [8086:2fc0];
          Bar 0 returning 0x00001a [3]
      
      Link: [1] https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/drivers/pci/probe.c?id=1307ef6621991f1c4bc3cec1b5a4ebd6fd3d66b9 ("PCI: probing read-only BARs" (pre-git))
      Link: [2] https://bugzilla.kernel.org/show_bug.cgi?id=43331
      Link: [3] https://bugzilla.kernel.org/show_bug.cgi?id=85991
      Reported-by: William Unruh <unruh@physics.ubc.ca>
      Reported-by: Martin Lucina <martin@lucina.net>
      Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      CC: Matthew Wilcox <willy@linux.intel.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
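An added worked example, not the kernel's `pci_size()` source and not part of the commit: a 32-bit model of the 'base == maxbase' comparison described above, run on BAR values quoted in the message. `bar_size`, `probe_unmasked_sz` and `probe_masked_sz` are hypothetical names, and the model assumes a read-only BAR returns the same value before and after the all-ones write.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_BAR_MASK 0xfffffff0u   /* address bits of a 32-bit memory BAR */

/* Returns size-1 of the decoded region, or 0 when the BAR is unusable. */
static uint32_t bar_size(uint32_t base, uint32_t maxbase, uint32_t mask)
{
    uint32_t size = mask & maxbase;        /* keep only the address bits */
    if (!size)
        return 0;
    size = (size & ~(size - 1)) - 1;       /* lowest set bit gives the extent */
    /* Same value before and after the all-ones write: nothing was writable,
     * unless the BAR really had been programmed with all ones. */
    if (base == maxbase && ((base | size) & mask) != mask)
        return 0;
    return size;
}

/* l  = BAR value read at probe time
 * sz = value read back after writing all ones */
static uint32_t probe_unmasked_sz(uint32_t l, uint32_t sz)
{
    /* 'l' is masked, 'sz' is not: the flag bits keep base != maxbase. */
    return bar_size(l & MEM_BAR_MASK, sz, MEM_BAR_MASK);
}

static uint32_t probe_masked_sz(uint32_t l, uint32_t sz)
{
    /* Both masked: the read-only comparison can succeed again. */
    return bar_size(l & MEM_BAR_MASK, sz & MEM_BAR_MASK, MEM_BAR_MASK);
}

int main(void)
{
    /* Read-only BAR values quoted in the commit message. */
    const uint32_t ro[] = { 0xfed98004u, 0x0000001au, 0x00000008u };
    for (unsigned i = 0; i < sizeof(ro) / sizeof(ro[0]); i++)
        printf("read-only %#010x: unmasked sz -> %#x, masked sz -> %#x\n",
               (unsigned)ro[i],
               (unsigned)probe_unmasked_sz(ro[i], ro[i]),
               (unsigned)probe_masked_sz(ro[i], ro[i]));

    /* Constructed writable 64 KiB BAR: both variants agree on the size. */
    printf("writable: unmasked sz -> %#x, masked sz -> %#x\n",
           (unsigned)probe_unmasked_sz(0xe0000004u, 0xffff0004u),
           (unsigned)probe_masked_sz(0xe0000004u, 0xffff0004u));
    return 0;
}
```

With the unmasked 'sz', the read-only value 0xfed98004 decodes as a bogus 32 KiB region instead of being rejected.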
    • powerpc/powernv: Switch off MMU before entering nap/sleep/rvwinkle mode · 02b586bf
      Paul Mackerras authored
      commit 8117ac6a upstream.
      
      Currently, when going idle, we set the flag indicating that we are in
      nap mode (paca->kvm_hstate.hwthread_state) and then execute the nap
      (or sleep or rvwinkle) instruction, all with the MMU on.  This is bad
      for two reasons: (a) the architecture specifies that those instructions
      must be executed with the MMU off, and in fact with only the SF, HV, ME
      and possibly RI bits set, and (b) this introduces a race, because as
      soon as we set the flag, another thread can switch the MMU to a guest
      context.  If the race is lost, this thread will typically start looping
      on relocation-on ISIs at 0xc...4400.
      
      This fixes it by setting the MSR as required by the architecture before
      setting the flag or executing the nap/sleep/rvwinkle instruction.
      
      [ shreyas@linux.vnet.ibm.com: Edited to handle LE ]
      Signed-off-by: Paul Mackerras <paulus@samba.org>
      Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: linuxppc-dev@lists.ozlabs.org
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • powerpc: Fix bad NULL pointer check in udbg_uart_getc_poll() · c6fdf6dc
      Anton Blanchard authored
      commit cd32e2dc upstream.
      
      We have some code in udbg_uart_getc_poll() that tries to protect
      against a NULL udbg_uart_in, but gets it all wrong.
      
      Found with the LLVM static analyzer (scan-build).
      
      Fixes: 30925748 ("powerpc: Cleanup udbg_16550 and add support for LPC PIO-only UARTs")
      Signed-off-by: Anton Blanchard <anton@samba.org>
      [mpe: Add some newlines for readability while we're here]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ASoC: dwc: Ensure FIFOs are flushed to prevent channel swap · e3ab75ed
      Andrew Jackson authored
      commit 3475c3d0 upstream.
      
      Flush the FIFOs when the stream is prepared for use.  This avoids
      an inadvertent swapping of the left/right channels if the FIFOs are
      not empty at startup.
      Signed-off-by: Andrew Jackson <Andrew.Jackson@arm.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ASoC: max98090: Fix ill-defined sidetone route · 63c9d407
      Jarkko Nikula authored
      commit 48826ee5 upstream.
      
      Commit 5fe5b767 ("ASoC: dapm: Do not pretend to support controls for non
      mixer/mux widgets") revealed ill-defined control in a route between
      "STENL Mux" and DACs in max98090.c:
      
      max98090 i2c-193C9890:00: Control not supported for path STENL Mux -> [NULL] -> DACL
      max98090 i2c-193C9890:00: ASoC: no dapm match for STENL Mux --> NULL --> DACL
      max98090 i2c-193C9890:00: ASoC: Failed to add route STENL Mux -> NULL -> DACL
      max98090 i2c-193C9890:00: Control not supported for path STENL Mux -> [NULL] -> DACR
      max98090 i2c-193C9890:00: ASoC: no dapm match for STENL Mux --> NULL --> DACR
      max98090 i2c-193C9890:00: ASoC: Failed to add route STENL Mux -> NULL -> DACR
      
      Since there is no control between "STENL Mux" and DACs the control name must
      be NULL not "NULL".
      Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ASoC: sigmadsp: Refuse to load firmware files with a non-supported version · e1d6f7ff
      Lars-Peter Clausen authored
      commit 50c0f21b upstream.
      
      Make sure to check the version field of the firmware header to make sure to
      not accidentally try to parse a firmware file with a different layout.
      Trying to do so can result in loading invalid firmware code to the device.
      Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    • ath5k: fix hardware queue index assignment · 939c0896
      Felix Fietkau authored
      commit 9e4982f6 upstream.
      
      Like with ath9k, ath5k queues also need to be ordered by priority.
      queue_info->tqi_subtype already contains the correct index, so use it
      instead of relying on the order of ath5k_hw_setup_tx_queue calls.
      Signed-off-by: Felix Fietkau <nbd@openwrt.org>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
  2. 14 Jan, 2015 7 commits
  3. 13 Jan, 2015 2 commits
    • Linux 3.12.36 · f6101957
      Jiri Slaby authored
    • thp: close race between split and zap huge pages · 198717b6
      Kirill A. Shutemov authored
      commit b5a8cad3 upstream.
      
      [stable 3.12 note]
      This commit was supposed to fix a completely different issue. But in 3.12,
      with commit f72e7dcd (mm: let
      mm_find_pmd fix buggy race with THP fault), we need this commit as
      well (it fixes the issue as a by-product). Hugh Dickins writes:
      <== citation starts here>
      Fine for this to go in, but there is one catch, which I discovered
      when backporting to v3.11: it needed one more hunk.  I haven't checked
      your base tree, but if this applies then I believe you need it - most
      of the time no problem, but it can cause page migration to fail to find
      a migration entry it inserted earlier, then BUG_ON(!PageLocked(p)) in
      migration_entry_to_page() soon after.  Here's what I wrote back then:
      
      Note on rebase to v3.11: added a hunk to replace the use of
      mm_find_pmd() in page_check_address_pmd().  This call had been
      similarly replaced by the time of my v3.16 commit, in Kirill
      Shutemov's v3.15 b5a8cad3 ("thp: close race between split and zap
      huge pages"): which we do not need as such, since it's fixing v3.13
      117b0791 ("mm, thp: move ptl taking inside
      page_check_address_pmd()"), from a split page-table-lock series we are
      not backporting.  But without this additional hunk, rmap sometimes
      broke when the new semantic for mm_find_pmd() was used here.
      <== end of citation>
      
      But instead of appending hunks to commits, I am taking a full,
      backported version of commit b5a8cad3 with this note prepended.
      
      So the changelog of b5a8cad3 is left below, but does not apply to
      3.12 yet.
      [=== stable 3.12 note ends here]
      
      Sasha Levin has reported two THP BUGs[1][2].  I believe both of them
      have the same root cause.  Let's look at them one by one.
      
      The first bug[1] is "kernel BUG at mm/huge_memory.c:1829!".  It's
      BUG_ON(mapcount != page_mapcount(page)) in __split_huge_page().  From my
      testing I see that page_mapcount() is higher than mapcount here.
      
      I think it happens due to race between zap_huge_pmd() and
      page_check_address_pmd().  page_check_address_pmd() misses PMD which is
      under zap:
      
      	CPU0						CPU1
      						zap_huge_pmd()
      						  pmdp_get_and_clear()
      __split_huge_page()
        anon_vma_interval_tree_foreach()
          __split_huge_page_splitting()
            page_check_address_pmd()
              mm_find_pmd()
      	  /*
      	   * We check if PMD present without taking ptl: no
      	   * serialization against zap_huge_pmd(). We miss this PMD,
      	   * it's not accounted to 'mapcount' in __split_huge_page().
      	   */
      	  pmd_present(pmd) == 0
      
        BUG_ON(mapcount != page_mapcount(page)) // CRASH!!!
      
      						  page_remove_rmap(page)
      						    atomic_add_negative(-1, &page->_mapcount)
      
      The second bug[2] is "kernel BUG at mm/huge_memory.c:1371!".
      It's VM_BUG_ON_PAGE(!PageHead(page), page) in zap_huge_pmd().
      
      This happens in similar way:
      
      	CPU0						CPU1
      						zap_huge_pmd()
      						  pmdp_get_and_clear()
      						  page_remove_rmap(page)
      						    atomic_add_negative(-1, &page->_mapcount)
      __split_huge_page()
        anon_vma_interval_tree_foreach()
          __split_huge_page_splitting()
            page_check_address_pmd()
              mm_find_pmd()
      	  pmd_present(pmd) == 0	/* The same comment as above */
        /*
         * No crash this time since we already decremented page->_mapcount in
         * zap_huge_pmd().
         */
        BUG_ON(mapcount != page_mapcount(page))
      
        /*
         * We split the compound page here into small pages without
         * serialization against zap_huge_pmd()
         */
        __split_huge_page_refcount()
      						VM_BUG_ON_PAGE(!PageHead(page), page); // CRASH!!!
      
      So my understanding is that the problem is the pmd_present() check in
      mm_find_pmd() without taking the page table lock.
      
      The bug was introduced by me with commit 117b0791. Sorry for
      that. :(
      
      Let's open code mm_find_pmd() in page_check_address_pmd() and do the
      check under page table lock.
      
      Note that __page_check_address() does the same for PTE entries
      if sync != 0.
      
      I've stress tested split and zap code paths for 36+ hours by now and
      don't see crashes with the patch applied. Before it took <20 min to
      trigger the first bug and a few hours for the second one (if we ignore
      the first).
      
      [1] https://lkml.kernel.org/g/<53440991.9090001@oracle.com>
      [2] https://lkml.kernel.org/g/<5310C56C.60709@oracle.com>
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Tested-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Bob Liu <lliubbo@gmail.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      198717b6
  4. 10 Jan, 2015 1 commit
  5. 09 Jan, 2015 3 commits
    • mm: let mm_find_pmd fix buggy race with THP fault · e1c34dac
      Hugh Dickins authored
      commit f72e7dcd upstream.
      
      Trinity has reported:
      
          BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
          IP: __lock_acquire (kernel/locking/lockdep.c:3070 (discriminator 1))
          CPU: 6 PID: 16173 Comm: trinity-c364 Tainted: G        W
                                  3.15.0-rc1-next-20140415-sasha-00020-gaa90d09 #398
          lock_acquire (arch/x86/include/asm/current.h:14
                        kernel/locking/lockdep.c:3602)
          _raw_spin_lock (include/linux/spinlock_api_smp.h:143
                          kernel/locking/spinlock.c:151)
          remove_migration_pte (mm/migrate.c:137)
          rmap_walk (mm/rmap.c:1628 mm/rmap.c:1699)
          remove_migration_ptes (mm/migrate.c:224)
          migrate_pages (mm/migrate.c:922 mm/migrate.c:960 mm/migrate.c:1126)
          migrate_misplaced_page (mm/migrate.c:1733)
          __handle_mm_fault (mm/memory.c:3762 mm/memory.c:3812 mm/memory.c:3925)
          handle_mm_fault (mm/memory.c:3948)
          __get_user_pages (mm/memory.c:1851)
          __mlock_vma_pages_range (mm/mlock.c:255)
          __mm_populate (mm/mlock.c:711)
          SyS_mlockall (include/linux/mm.h:1799 mm/mlock.c:817 mm/mlock.c:791)
      
      I believe this comes about because, whereas collapsing and splitting THP
      functions take anon_vma lock in write mode (which excludes concurrent
      rmap walks), faulting THP functions (write protection and misplaced
      NUMA) do not - and mostly they do not need to.
      
      But they do use a pmdp_clear_flush(), set_pmd_at() sequence which, for
      an instant (indeed, for a long instant, given the inter-CPU TLB flush in
      there), leaves *pmd neither present nor trans_huge.
      
      Which can confuse a concurrent rmap walk, as when removing migration
      ptes, seen in the dumped trace.  Although that rmap walk has a 4k page
      to insert, anon_vmas containing THPs are in no way segregated from
      4k-page anon_vmas, so the 4k-intent mm_find_pmd() does need to cope with
      that instant when a trans_huge pmd is temporarily absent.
      
      I don't think we need strengthen the locking at the THP end: it's easily
      handled with an ACCESS_ONCE() before testing both conditions.
      
      And since mm_find_pmd() had only one caller who wanted a THP rather than
      a pmd, let's slightly repurpose it to fail when it hits a THP or
      non-present pmd, and open code split_huge_page_address() again.
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Reported-by: Sasha Levin <sasha.levin@oracle.com>
      Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Konstantin Khlebnikov <koct9i@gmail.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Bob Liu <bob.liu@oracle.com>
      Cc: Christoph Lameter <cl@gentwo.org>
      Cc: Dave Jones <davej@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      e1c34dac
    • mfd: viperboard: Fix platform-device id collision · 0702a76d
      Johan Hovold authored
      commit b6684228 upstream.
      
      Allow more than one viperboard to be connected by registering with
      PLATFORM_DEVID_AUTO instead of PLATFORM_DEVID_NONE.
      
      The subdevices are currently registered with PLATFORM_DEVID_NONE, which
      will cause a name collision on the platform bus when a second viperboard
      is plugged in:
      
      viperboard 1-2.4:1.0: version 0.00 found at bus 001 address 004
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 181 at /home/johan/work/omicron/src/linux/fs/sysfs/dir.c:31 sysfs_warn_dup+0x74/0x84()
      sysfs: cannot create duplicate filename '/bus/platform/devices/viperboard-gpio'
      Modules linked in: i2c_viperboard viperboard netconsole [last unloaded: viperboard]
      CPU: 0 PID: 181 Comm: bash Tainted: G        W      3.17.0-rc6 #1
      [<c0016bf4>] (unwind_backtrace) from [<c0013860>] (show_stack+0x20/0x24)
      [<c0013860>] (show_stack) from [<c04305f8>] (dump_stack+0x24/0x28)
      [<c04305f8>] (dump_stack) from [<c0040fb4>] (warn_slowpath_common+0x80/0x98)
      [<c0040fb4>] (warn_slowpath_common) from [<c004100c>] (warn_slowpath_fmt+0x40/0x48)
      [<c004100c>] (warn_slowpath_fmt) from [<c016f1bc>] (sysfs_warn_dup+0x74/0x84)
      [<c016f1bc>] (sysfs_warn_dup) from [<c016f548>] (sysfs_do_create_link_sd.isra.2+0xcc/0xd0)
      [<c016f548>] (sysfs_do_create_link_sd.isra.2) from [<c016f588>] (sysfs_create_link+0x3c/0x48)
      [<c016f588>] (sysfs_create_link) from [<c02867ec>] (bus_add_device+0x12c/0x1e0)
      [<c02867ec>] (bus_add_device) from [<c0284820>] (device_add+0x410/0x584)
      [<c0284820>] (device_add) from [<c0289440>] (platform_device_add+0xd8/0x26c)
      [<c0289440>] (platform_device_add) from [<c02a5ae4>] (mfd_add_device+0x240/0x344)
      [<c02a5ae4>] (mfd_add_device) from [<c02a5ce0>] (mfd_add_devices+0xb8/0x110)
      [<c02a5ce0>] (mfd_add_devices) from [<bf00d1c8>] (vprbrd_probe+0x160/0x1b0 [viperboard])
      [<bf00d1c8>] (vprbrd_probe [viperboard]) from [<c030c000>] (usb_probe_interface+0x1bc/0x2a8)
      [<c030c000>] (usb_probe_interface) from [<c028768c>] (driver_probe_device+0x14c/0x3ac)
      [<c028768c>] (driver_probe_device) from [<c02879e4>] (__driver_attach+0xa4/0xa8)
      [<c02879e4>] (__driver_attach) from [<c0285698>] (bus_for_each_dev+0x70/0xa4)
      [<c0285698>] (bus_for_each_dev) from [<c0287030>] (driver_attach+0x2c/0x30)
      [<c0287030>] (driver_attach) from [<c030a288>] (usb_store_new_id+0x170/0x1ac)
      [<c030a288>] (usb_store_new_id) from [<c030a2f8>] (new_id_store+0x34/0x3c)
      [<c030a2f8>] (new_id_store) from [<c02853ec>] (drv_attr_store+0x30/0x3c)
      [<c02853ec>] (drv_attr_store) from [<c016eaa8>] (sysfs_kf_write+0x5c/0x60)
      [<c016eaa8>] (sysfs_kf_write) from [<c016dc68>] (kernfs_fop_write+0xd4/0x194)
      [<c016dc68>] (kernfs_fop_write) from [<c010fe40>] (vfs_write+0xb4/0x1c0)
      [<c010fe40>] (vfs_write) from [<c01104a8>] (SyS_write+0x4c/0xa0)
      [<c01104a8>] (SyS_write) from [<c000f900>] (ret_fast_syscall+0x0/0x48)
      ---[ end trace 98e8603c22d65817 ]---
      viperboard 1-2.4:1.0: Failed to add mfd devices to core.
      viperboard: probe of 1-2.4:1.0 failed with error -17
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      0702a76d
    • mfd: stmpe: Fix STMPE24xx GPMR LSB · 83ee5961
      Linus Walleij authored
      commit 871c3cf4 upstream.
      
      The least significant byte of the GPIO value read register
      on the STMPE24xx series is on address 0xA4 not 0xA5. Correct
      against datasheet and tested on the STMPE2401 hardware.
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      83ee5961
  6. 07 Jan, 2015 6 commits
    • Btrfs: fix fs corruption on transaction abort if device supports discard · bc5e18c1
      Filipe Manana authored
      commit 678886bd upstream.
      
      When we abort a transaction we iterate over all the ranges marked as dirty
      in fs_info->freed_extents[0] and fs_info->freed_extents[1], clear them
      from those trees, add them back (unpin) to the free space caches and, if
      the fs was mounted with "-o discard", perform a discard on those regions.
      Also, after adding the regions to the free space caches, a fitrim ioctl call
      can see those ranges in a block group's free space cache and perform a discard
      on the ranges, so the same issue can happen without "-o discard" as well.
      
      This causes corruption, affecting one or multiple btree nodes (in the worst
      case leaving the fs unmountable) because some of those ranges (the ones in
      the fs_info->pinned_extents tree) correspond to btree nodes/leafs that are
      referred by the last committed super block - breaking the rule that anything
      that was committed by a transaction is untouched until the next transaction
      commits successfully.
      
      I ran into this while running in a loop (for several hours) the fstest that
      I recently submitted:
      
        [PATCH] fstests: add btrfs test to stress chunk allocation/removal and fstrim
      
      The corruption always happened when a transaction aborted and then fsck complained
      like this:
      
         _check_btrfs_filesystem: filesystem on /dev/sdc is inconsistent
         *** fsck.btrfs output ***
         Check tree block failed, want=94945280, have=0
         Check tree block failed, want=94945280, have=0
         Check tree block failed, want=94945280, have=0
         Check tree block failed, want=94945280, have=0
         Check tree block failed, want=94945280, have=0
         read block failed check_tree_block
         Couldn't open file system
      
      In this case 94945280 corresponded to the root of a tree.
      Using ftrace what I observed was that the following sequence of steps happened:
      
         1) transaction N started, fs_info->pinned_extents pointed to
            fs_info->freed_extents[0];
      
         2) node/eb 94945280 is created;
      
         3) eb is persisted to disk;
      
         4) transaction N commit starts, fs_info->pinned_extents now points to
            fs_info->freed_extents[1], and transaction N completes;
      
         5) transaction N + 1 starts;
      
         6) eb is COWed, and btrfs_free_tree_block() called for this eb;
      
         7) eb range (94945280 to 94945280 + 16Kb) is added to
            fs_info->pinned_extents (fs_info->freed_extents[1]);
      
         8) Something goes wrong in transaction N + 1, like hitting ENOSPC
            for example, and the transaction is aborted, turning the fs into
            readonly mode. The stack trace I got for example:
      
            [112065.253935]  [<ffffffff8140c7b6>] dump_stack+0x4d/0x66
            [112065.254271]  [<ffffffff81042984>] warn_slowpath_common+0x7f/0x98
            [112065.254567]  [<ffffffffa0325990>] ? __btrfs_abort_transaction+0x50/0x10b [btrfs]
            [112065.261674]  [<ffffffff810429e5>] warn_slowpath_fmt+0x48/0x50
            [112065.261922]  [<ffffffffa032949e>] ? btrfs_free_path+0x26/0x29 [btrfs]
            [112065.262211]  [<ffffffffa0325990>] __btrfs_abort_transaction+0x50/0x10b [btrfs]
            [112065.262545]  [<ffffffffa036b1d6>] btrfs_remove_chunk+0x537/0x58b [btrfs]
            [112065.262771]  [<ffffffffa033840f>] btrfs_delete_unused_bgs+0x1de/0x21b [btrfs]
            [112065.263105]  [<ffffffffa0343106>] cleaner_kthread+0x100/0x12f [btrfs]
            (...)
            [112065.264493] ---[ end trace dd7903a975a31a08 ]---
            [112065.264673] BTRFS: error (device sdc) in btrfs_remove_chunk:2625: errno=-28 No space left
            [112065.264997] BTRFS info (device sdc): forced readonly
      
         9) The clear kthread sees that the BTRFS_FS_STATE_ERROR bit is set in
            fs_info->fs_state and calls btrfs_cleanup_transaction(), which in
            turn calls btrfs_destroy_pinned_extent();
      
         10) Then btrfs_destroy_pinned_extent() iterates over all the ranges
             marked as dirty in fs_info->freed_extents[], and for each one
             it calls discard, if the fs was mounted with "-o discard", and
             adds the range to the free space cache of the respective block
             group;
      
         11) btrfs_trim_block_group(), invoked from the fitrim ioctl code path,
             sees the free space entries and performs a discard;
      
         12) After an umount and mount (or fsck), our eb's location on disk was full
             of zeroes, and it should have been untouched, because it was marked as
             dirty in the fs_info->pinned_extents tree, and therefore used by the
             trees that the last committed superblock points to.
      
      Fix this by not performing a discard and not adding the ranges to the free space
      caches - it's useless from this point since the fs is now in readonly mode and
      we won't write free space caches to disk anymore (otherwise we would leak space)
      nor any new superblock. By not adding the ranges to the free space caches, it
      prevents other code paths from allocating that space and writing to it as well,
      therefore being safer and simpler.
      
      This isn't a new problem, as it's been present since 2011 (git commit
      acce952b).
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      bc5e18c1
    • Btrfs: do not move em to modified list when unpinning · f2595264
      Josef Bacik authored
      commit a2804695 upstream.
      
      We use the modified list to keep track of which extents have been modified so we
      know which ones are candidates for logging at fsync() time.  Newly modified
      extents are added to the list at modification time, around the same time the
      ordered extent is created.  We do this so that we don't have to wait for ordered
      extents to complete before we know what we need to log.  The problem is when
      something like this happens
      
      log extent 0-4k on inode 1
      copy csum for 0-4k from ordered extent into log
      sync log
      commit transaction
      log some other extent on inode 1
      ordered extent for 0-4k completes and adds itself onto modified list again
      log changed extents
      see ordered extent for 0-4k has already been logged
      	at this point we assume the csum has been copied
      sync log
      crash
      
      On replay we will see the extent 0-4k in the log, drop the original 0-4k extent
      which is the same one that we are replaying which also drops the csum, and then
      we won't find the csum in the log for that bytenr.  This of course causes us to
      have errors about not having csums for certain ranges of our inode.  So remove
      the modified list manipulation in unpin_extent_cache, any modified extents
      should have been added well before now, and we don't want them re-logged.  This
      fixes my test that I could reliably reproduce this problem with.  Thanks,
      Signed-off-by: Josef Bacik <jbacik@fb.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      f2595264
    • eCryptfs: Remove buggy and unnecessary write in file name decode routine · 8ffea99d
      Michael Halcrow authored
      commit 94208064 upstream.
      
      Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
      end of the allocated buffer during encrypted filename decoding. This
      fix corrects the issue by getting rid of the unnecessary 0 write when
      the current bit offset is 2.
      Signed-off-by: Michael Halcrow <mhalcrow@google.com>
      Reported-by: Dmitry Chernenkov <dmitryc@google.com>
      Suggested-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      8ffea99d
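
The overrun described in the commit message above, as an added illustration that is neither eCryptfs code nor part of the commit: a constructed 6-bit unpacker whose `trailing_zero` switch keeps or drops an extra zero store at bit offset 2. The size bound `alloc_size()`, the `struct out` write tracker and every name here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Output area that records how far the decoder wrote (hypothetical helper). */
struct out {
    uint8_t buf[64]; /* backing store, larger than any size used here */
    size_t high;     /* one past the highest index stored to */
};

static void put(struct out *o, size_t i, unsigned v, int or_in)
{
    if (or_in)
        o->buf[i] |= (uint8_t)v;
    else
        o->buf[i] = (uint8_t)v;
    if (i + 1 > o->high)
        o->high = i + 1;
}

/* Assumed allocation bound for n 6-bit symbols: floor((n + 1) * 3 / 4). */
size_t alloc_size(size_t n) { return (n + 1) * 3 / 4; }

/*
 * Unpack n 6-bit symbols (values 0..63) into bytes and return how many
 * bytes of o->buf were touched. trailing_zero != 0 keeps the extra
 * "next byte = 0" store at bit offset 2; 0 drops it, as the fix does.
 */
size_t unpack6(const uint8_t *src, size_t n, struct out *o, int trailing_zero)
{
    size_t d = 0;
    int bit = 0;

    memset(o, 0, sizeof(*o));
    if (n > 80) /* keep every index inside buf[64] */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned s = src[i] & 0x3f;
        switch (bit) {
        case 0: put(o, d, s << 2, 0); bit = 6; break;
        case 6: put(o, d++, s >> 4, 1); put(o, d, (s & 0xf) << 4, 0); bit = 4; break;
        case 4: put(o, d++, s >> 2, 1); put(o, d, s << 6, 0); bit = 2; break;
        case 2:
            put(o, d++, s, 1);
            if (trailing_zero)
                put(o, d, 0, 0); /* index d is a byte no symbol needs */
            bit = 0;
            break;
        }
    }
    return o->high;
}

int main(void)
{
    const uint8_t sym[4] = {19, 22, 5, 46}; /* constructed: 6-bit groups of "Man" */
    struct out o;

    for (int tz = 1; tz >= 0; tz--) {
        size_t used = unpack6(sym, 4, &o, tz);
        printf("trailing_zero=%d touched=%zu allocated=%zu %s\n", tz, used,
               alloc_size(4), used > alloc_size(4) ? "OVERRUN" : "ok");
    }
    return 0;
}
```

Under the assumed bound, only inputs whose length is a multiple of 4 end at bit offset 2, so the extra store lands exactly one byte past the allocation while the decoded bytes are identical either way.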
    • eCryptfs: Force RO mount when encrypted view is enabled · c1b5e3f8
      Tyler Hicks authored
      commit 332b122d upstream.
      
      The ecryptfs_encrypted_view mount option greatly changes the
      functionality of an eCryptfs mount. Instead of encrypting and decrypting
      lower files, it provides a unified view of the encrypted files in the
      lower filesystem. The presence of the ecryptfs_encrypted_view mount
      option is intended to force a read-only mount and modifying files is not
      supported when the feature is in use. See the following commit for more
      information:
      
        e77a56dd [PATCH] eCryptfs: Encrypted passthrough
      
      This patch forces the mount to be read-only when the
      ecryptfs_encrypted_view mount option is specified by setting the
      MS_RDONLY flag on the superblock. Additionally, this patch removes some
      broken logic in ecryptfs_open() that attempted to prevent modifications
      of files when the encrypted view feature was in use. The check in
      ecryptfs_open() was not sufficient to prevent file modifications using
      system calls that do not operate on a file descriptor.
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Reported-by: Priya Bansal <p.bansal@samsung.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      c1b5e3f8
    • udf: Verify symlink size before loading it · 2bf2e3b9
      Jan Kara authored
      commit a1d47b26 upstream.
      
      UDF specification allows arbitrarily large symlinks. However we support
      only symlinks at most one block large. Check the length of the symlink
      so that we don't access memory beyond end of the symlink block.
      Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      2bf2e3b9
    • exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting · 259c1c87
      Oleg Nesterov authored
      commit 24c037eb upstream.
      
      alloc_pid() does get_pid_ns() beforehand but forgets to put_pid_ns() if it
      fails because disable_pid_allocation() was called by the exiting
      child_reaper.
      
      We could simply move get_pid_ns() down to successful return, but this fix
      tries to be as trivial as possible.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Aaron Tomlin <atomlin@redhat.com>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
      Cc: Sterling Alexander <stalexan@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      259c1c87